Changeset 49717 in webkit

Timestamp:

Oct 16, 2009, 5:28:19 PM (16 years ago)

Author:

[email protected]

Message:

Fast for-in enumeration: Cache JSPropertyNameIterator; cache JSStrings
in JSPropertyNameIterator; inline more code.

Patch by Geoffrey Garen <​[email protected]> on 2009-10-16
Reviewed by Oliver Hunt.

1.024x as fast on SunSpider (fasta: 1.43x as fast).

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):

• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetPropertyNames):
(JSC::BytecodeGenerator::emitNextPropertyName):

• bytecompiler/BytecodeGenerator.h: Added a few extra operands to

op_get_pnames and op_next_pname so that we can track iteration state
in the register file instead of in the JSPropertyNameIterator. (To be
cacheable, the JSPropertyNameIterator must be stateless.)

• interpreter/Interpreter.cpp:

(JSC::Interpreter::tryCachePutByID):
(JSC::Interpreter::tryCacheGetByID): Updated for rename to
"normalizePrototypeChain" and removal of "isCacheable".

(JSC::Interpreter::privateExecute): Updated for in-RegisterFile
iteration state tracking.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_get_pnames): Updated for in-RegisterFile
iteration state tracking.

(JSC::JIT::emit_op_next_pname): Inlined code generation for op_next_pname.

• jit/JITStubs.cpp:

(JSC::JITThunks::tryCachePutByID):
(JSC::JITThunks::tryCacheGetByID): Updated for rename to
"normalizePrototypeChain" and removal of "isCacheable".

(JSC::DEFINE_STUB_FUNCTION):

• jit/JITStubs.h:

(JSC::): Added has_property and to_object stubs. Removed op_next_pname
stub, since has_property is all we need anymore.

• parser/Nodes.cpp:

(JSC::ForInNode::emitBytecode): Updated for in-RegisterFile
iteration state tracking.

• runtime/JSCell.h:
• runtime/JSObject.cpp:

(JSC::JSObject::getPropertyNames): Don't do caching at this layer
anymore, since we don't create a JSPropertyNameIterator at this layer.

• runtime/JSPropertyNameIterator.cpp:

(JSC::JSPropertyNameIterator::create): Do do caching at this layer.
(JSC::JSPropertyNameIterator::get): Updated for in-RegisterFile
iteration state tracking.
(JSC::JSPropertyNameIterator::markChildren): Mark our JSStrings.

• runtime/JSPropertyNameIterator.h:

(JSC::JSPropertyNameIterator::size):
(JSC::JSPropertyNameIterator::setCachedStructure):
(JSC::JSPropertyNameIterator::cachedStructure):
(JSC::JSPropertyNameIterator::setCachedPrototypeChain):
(JSC::JSPropertyNameIterator::cachedPrototypeChain):
(JSC::JSPropertyNameIterator::JSPropertyNameIterator):
(JSC::Structure::setEnumerationCache): Don't store iteration state in
a JSPropertyNameIterator. Do cache a JSPropertyNameIterator in a
Structure.

• runtime/JSValue.h:

(JSC::asCell):

• runtime/MarkStack.h: Make those mischievous #include gods happy.

• runtime/ObjectConstructor.cpp:

• runtime/Operations.h:

(JSC::normalizePrototypeChain): Renamed countPrototypeChainEntriesAndCheckForProxies
to normalizePrototypeChain, since it changes dictionary prototypes to
non-dictionary objects.

• runtime/PropertyNameArray.cpp:

(JSC::PropertyNameArray::add):

• runtime/PropertyNameArray.h:

(JSC::PropertyNameArrayData::PropertyNameArrayData):
(JSC::PropertyNameArray::data):
(JSC::PropertyNameArray::size):
(JSC::PropertyNameArray::begin):
(JSC::PropertyNameArray::end): Simplified some code here to help with
current and future refactoring.

• runtime/Protect.h:
• runtime/Structure.cpp:

(JSC::Structure::~Structure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition): No need to clear
the enumeration cache with adding / removing properties without
transition. It is an error to add / remove properties without transition
once an object has been observed, and we can ASSERT to catch that.

• runtime/Structure.h:

(JSC::Structure::enumerationCache): Changed the enumeration cache to
hold a JSPropertyNameIterator.

• runtime/StructureChain.cpp:
• runtime/StructureChain.h:

(JSC::StructureChain::head): Removed StructureChain::isCacheable because
it was wrong-headed in two ways: (1) It gave up when a prototype was a
dictionary, but instead we want un-dictionary heavily accessed
prototypes; (2) It folded a test for hasDefaultGetPropertyNames() into
a generic test for "cacheable-ness", but hasDefaultGetPropertyNames()
is only releavant to for-in caching.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/Opcode.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• interpreter/Interpreter.cpp (modified) (5 diffs)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JIT.h (modified) (1 diff)
• jit/JITOpcodes.cpp (modified) (3 diffs)
• jit/JITStubs.cpp (modified) (6 diffs)
• jit/JITStubs.h (modified) (4 diffs)
• parser/Nodes.cpp (modified) (2 diffs)
• runtime/JSCell.h (modified) (1 diff)
• runtime/JSObject.cpp (modified) (1 diff)
• runtime/JSPropertyNameIterator.cpp (modified) (1 diff)
• runtime/JSPropertyNameIterator.h (modified) (3 diffs)
• runtime/JSValue.h (modified) (1 diff)
• runtime/MarkStack.h (modified) (1 diff)
• runtime/ObjectConstructor.cpp (modified) (1 diff)
• runtime/Operations.h (modified) (2 diffs)
• runtime/PropertyNameArray.cpp (modified) (1 diff)
• runtime/PropertyNameArray.h (modified) (3 diffs)
• runtime/Protect.h (modified) (1 diff)
• runtime/Structure.cpp (modified) (7 diffs)
• runtime/Structure.h (modified) (3 diffs)
• runtime/StructureChain.cpp (modified) (1 diff)
• runtime/StructureChain.h (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2009-10-16  Geoffrey Garen  <[email protected]>
+
+        Reviewed by Oliver Hunt.
+        
+        Fast for-in enumeration: Cache JSPropertyNameIterator; cache JSStrings
+        in JSPropertyNameIterator; inline more code.
+
+        1.024x as fast on SunSpider (fasta: 1.43x as fast).
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+        * bytecode/Opcode.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitGetPropertyNames):
+        (JSC::BytecodeGenerator::emitNextPropertyName):
+        * bytecompiler/BytecodeGenerator.h: Added a few extra operands to
+        op_get_pnames and op_next_pname so that we can track iteration state
+        in the register file instead of in the JSPropertyNameIterator. (To be
+        cacheable, the JSPropertyNameIterator must be stateless.)
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::tryCachePutByID):
+        (JSC::Interpreter::tryCacheGetByID): Updated for rename to
+        "normalizePrototypeChain" and removal of "isCacheable". 
+
+        (JSC::Interpreter::privateExecute): Updated for in-RegisterFile
+        iteration state tracking.
+
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_get_pnames): Updated for in-RegisterFile
+        iteration state tracking.
+
+        (JSC::JIT::emit_op_next_pname): Inlined code generation for op_next_pname.
+
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCachePutByID):
+        (JSC::JITThunks::tryCacheGetByID): Updated for rename to
+        "normalizePrototypeChain" and removal of "isCacheable". 
+
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jit/JITStubs.h:
+        (JSC::): Added has_property and to_object stubs. Removed op_next_pname
+        stub, since has_property is all we need anymore.
+
+        * parser/Nodes.cpp:
+        (JSC::ForInNode::emitBytecode): Updated for in-RegisterFile
+        iteration state tracking.
+
+        * runtime/JSCell.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::getPropertyNames): Don't do caching at this layer
+        anymore, since we don't create a JSPropertyNameIterator at this layer.
+
+        * runtime/JSPropertyNameIterator.cpp:
+        (JSC::JSPropertyNameIterator::create): Do do caching at this layer.
+        (JSC::JSPropertyNameIterator::get):  Updated for in-RegisterFile
+        iteration state tracking.
+        (JSC::JSPropertyNameIterator::markChildren): Mark our JSStrings.
+
+        * runtime/JSPropertyNameIterator.h:
+        (JSC::JSPropertyNameIterator::size):
+        (JSC::JSPropertyNameIterator::setCachedStructure):
+        (JSC::JSPropertyNameIterator::cachedStructure):
+        (JSC::JSPropertyNameIterator::setCachedPrototypeChain):
+        (JSC::JSPropertyNameIterator::cachedPrototypeChain):
+        (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
+        (JSC::Structure::setEnumerationCache): Don't store iteration state in
+        a JSPropertyNameIterator. Do cache a JSPropertyNameIterator in a
+        Structure.
+
+        * runtime/JSValue.h:
+        (JSC::asCell):
+        * runtime/MarkStack.h: Make those mischievous #include gods happy.
+
+        * runtime/ObjectConstructor.cpp:
+
+        * runtime/Operations.h:
+        (JSC::normalizePrototypeChain): Renamed countPrototypeChainEntriesAndCheckForProxies
+        to normalizePrototypeChain, since it changes dictionary prototypes to
+        non-dictionary objects.
+
+        * runtime/PropertyNameArray.cpp:
+        (JSC::PropertyNameArray::add):
+        * runtime/PropertyNameArray.h:
+        (JSC::PropertyNameArrayData::PropertyNameArrayData):
+        (JSC::PropertyNameArray::data):
+        (JSC::PropertyNameArray::size):
+        (JSC::PropertyNameArray::begin):
+        (JSC::PropertyNameArray::end): Simplified some code here to help with
+        current and future refactoring.
+
+        * runtime/Protect.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::~Structure):
+        (JSC::Structure::addPropertyWithoutTransition):
+        (JSC::Structure::removePropertyWithoutTransition): No need to clear
+        the enumeration cache with adding / removing properties without
+        transition. It is an error to add / remove properties without transition
+        once an object has been observed, and we can ASSERT to catch that.
+
+        * runtime/Structure.h:
+        (JSC::Structure::enumerationCache): Changed the enumeration cache to
+        hold a JSPropertyNameIterator.
+
+        * runtime/StructureChain.cpp:
+        * runtime/StructureChain.h:
+        (JSC::StructureChain::head): Removed StructureChain::isCacheable because
+        it was wrong-headed in two ways: (1) It gave up when a prototype was a
+        dictionary, but instead we want un-dictionary heavily accessed
+        prototypes; (2) It folded a test for hasDefaultGetPropertyNames() into
+        a generic test for "cacheable-ness", but hasDefaultGetPropertyNames()
+        is only releavant to for-in caching.
+
 2009-10-16  Steve Falkenburg  <[email protected]>
 

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1016 +1016 @@
         }
         case op_get_pnames: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
+            int r0 = it[0].u.operand;
+            int r1 = it[1].u.operand;
             printf("[%4d] get_pnames\t %s, %s\n", location, registerName(r0).c_str(), registerName(r1).c_str());
+            it += OPCODE_LENGTH(op_get_pnames) - 1;
             break;
         }
         case op_next_pname: {
-            int dest = (++it)->u.operand;
-            int iter = (++it)->u.operand;
-            int offset = (++it)->u.operand;
+            int dest = it[0].u.operand;
+            int iter = it[4].u.operand;
+            int offset = it[5].u.operand;
             printf("[%4d] next_pname\t %s, %s, %d(->%d)\n", location, registerName(dest).c_str(), registerName(iter).c_str(), offset, location + offset);
+            it += OPCODE_LENGTH(op_next_pname) - 1;
             break;
         }

trunk/JavaScriptCore/bytecode/Opcode.h

@@ -153 +153 @@
         macro(op_to_primitive, 3) \
         \
-        macro(op_get_pnames, 3) \
-        macro(op_next_pname, 4) \
+        macro(op_get_pnames, 6) \
+        macro(op_next_pname, 7) \
         \
         macro(op_push_scope, 2) \

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1795 +1795 @@
 }
 
-RegisterID* BytecodeGenerator::emitNextPropertyName(RegisterID* dst, RegisterID* iter, Label* target)
+RegisterID* BytecodeGenerator::emitGetPropertyNames(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, Label* breakTarget)
 {
     size_t begin = instructions().size();
 
+    emitOpcode(op_get_pnames);
+    instructions().append(dst->index());
+    instructions().append(base->index());
+    instructions().append(i->index());
+    instructions().append(size->index());
+    instructions().append(breakTarget->bind(begin, instructions().size()));
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitNextPropertyName(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, RegisterID* iter, Label* target)
+{
+    size_t begin = instructions().size();
+
     emitOpcode(op_next_pname);
     instructions().append(dst->index());
+    instructions().append(base->index());
+    instructions().append(i->index());
+    instructions().append(size->index());
     instructions().append(iter->index());
     instructions().append(target->bind(begin, instructions().size()));

trunk/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -313 +313 @@
         void emitSubroutineReturn(RegisterID* retAddrSrc);
 
-        RegisterID* emitGetPropertyNames(RegisterID* dst, RegisterID* base) { return emitUnaryOp(op_get_pnames, dst, base); }
-        RegisterID* emitNextPropertyName(RegisterID* dst, RegisterID* iter, Label* target);
+        RegisterID* emitGetPropertyNames(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, Label* breakTarget);
+        RegisterID* emitNextPropertyName(RegisterID* dst, RegisterID* base, RegisterID* i, RegisterID* size, RegisterID* iter, Label* target);
 
         RegisterID* emitCatch(RegisterID*, Label* start, Label* end);

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -939 +939 @@
     }
 
-    StructureChain* protoChain = structure->prototypeChain(callFrame);
-    if (!protoChain->isCacheable()) {
-        vPC[0] = getOpcode(op_put_by_id_generic);
-        return;
-    }
-
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
@@ -951 +945 @@
             return;
         }
+
+        // put_by_id_transition checks the prototype chain for setters.
+        normalizePrototypeChain(callFrame, baseCell);
+
         vPC[0] = getOpcode(op_put_by_id_transition);
         vPC[4] = structure->previousID();
         vPC[5] = structure;
-        vPC[6] = protoChain;
+        vPC[6] = structure->prototypeChain(callFrame);
         vPC[7] = slot.cachedOffset();
         codeBlock->refStructures(vPC);
@@ -1050 +1048 @@
     }
 
-    size_t count = countPrototypeChainEntriesAndCheckForProxies(callFrame, baseValue, slot);
+    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase());
     if (!count) {
         vPC[0] = getOpcode(op_get_by_id_generic);
@@ -1056 +1054 @@
     }
 
-    StructureChain* protoChain = structure->prototypeChain(callFrame);
-    if (!protoChain->isCacheable()) {
-        vPC[0] = getOpcode(op_get_by_id_generic);
-        return;
-    }
-
     vPC[0] = getOpcode(op_get_by_id_chain);
     vPC[4] = structure;
-    vPC[5] = protoChain;
+    vPC[5] = structure->prototypeChain(callFrame);
     vPC[6] = count;
     vPC[7] = slot.cachedOffset();
@@ -3503 +3495 @@
     }
     DEFINE_OPCODE(op_get_pnames) {
-        /* get_pnames dst(r) base(r)
+        /* get_pnames dst(r) base(r) i(n) size(n) breakTarget(offset)
 
            Creates a property name list for register base and puts it
-           in register dst. This is not a true JavaScript value, just
-           a synthetic value used to keep the iteration state in a
-           register.
+           in register dst, initializing i and size for iteration. If
+           base is undefined or null, jumps to breakTarget.
         */
         int dst = vPC[1].u.operand;
         int base = vPC[2].u.operand;
-
-        callFrame->r(dst) = JSPropertyNameIterator::create(callFrame, callFrame->r(base).jsValue());
+        int i = vPC[3].u.operand;
+        int size = vPC[4].u.operand;
+        int breakTarget = vPC[5].u.operand;
+
+        JSValue v = callFrame->r(base).jsValue();
+        if (v.isUndefinedOrNull()) {
+            vPC += breakTarget;
+            NEXT_INSTRUCTION();
+        }
+
+        JSObject* o = v.toObject(callFrame);
+        Structure* structure = o->structure();
+        JSPropertyNameIterator* jsPropertyNameIterator = structure->enumerationCache();
+        if (!jsPropertyNameIterator || jsPropertyNameIterator->cachedPrototypeChain() != structure->prototypeChain(callFrame))
+            jsPropertyNameIterator = JSPropertyNameIterator::create(callFrame, o);
+
+        callFrame->r(dst) = jsPropertyNameIterator;
+        callFrame->r(base) = JSValue(o);
+        callFrame->r(i) = Register::withInt(0);
+        callFrame->r(size) = Register::withInt(jsPropertyNameIterator->size());
         vPC += OPCODE_LENGTH(op_get_pnames);
         NEXT_INSTRUCTION();
     }
     DEFINE_OPCODE(op_next_pname) {
-        /* next_pname dst(r) iter(r) target(offset)
-
-           Tries to copies the next name from property name list in
-           register iter. If there are names left, then copies one to
-           register dst, and jumps to offset target. If there are none
-           left, invalidates the iterator and continues to the next
+        /* next_pname dst(r) base(r) i(n) size(n) iter(r) target(offset)
+
+           Copies the next name from the property name list in
+           register iter to dst, then jumps to offset target. If there are no
+           names left, invalidates the iterator and continues to the next
            instruction.
         */
         int dst = vPC[1].u.operand;
-        int iter = vPC[2].u.operand;
-        int target = vPC[3].u.operand;
+        int base = vPC[2].u.operand;
+        int i = vPC[3].u.operand;
+        int size = vPC[4].u.operand;
+        int iter = vPC[5].u.operand;
+        int target = vPC[6].u.operand;
 
         JSPropertyNameIterator* it = callFrame->r(iter).propertyNameIterator();
-        if (JSValue temp = it->next(callFrame)) {
-            CHECK_FOR_TIMEOUT();
-            callFrame->r(dst) = JSValue(temp);
-            vPC += target;
-            NEXT_INSTRUCTION();
-        }
-        it->invalidate();
+        while (callFrame->r(i).i() != callFrame->r(size).i()) {
+            JSValue key = it->get(callFrame, asObject(callFrame->r(base).jsValue()), callFrame->r(i).i());
+            callFrame->r(i) = Register::withInt(callFrame->r(i).i() + 1);
+            if (key) {
+                CHECK_FOR_TIMEOUT();
+                callFrame->r(dst) = key;
+                vPC += target;
+                NEXT_INSTRUCTION();
+            }
+        }
 
         vPC += OPCODE_LENGTH(op_next_pname);

trunk/JavaScriptCore/jit/JIT.cpp

@@ -203 +203 @@
         DEFINE_BINARY_OP(op_lesseq)
         DEFINE_BINARY_OP(op_urshift)
-        DEFINE_UNARY_OP(op_get_pnames)
         DEFINE_UNARY_OP(op_is_boolean)
         DEFINE_UNARY_OP(op_is_function)
@@ -242 +241 @@
         DEFINE_OP(op_get_by_val)
         DEFINE_OP(op_get_global_var)
+        DEFINE_OP(op_get_pnames)
         DEFINE_OP(op_get_scoped_var)
         DEFINE_OP(op_instanceof)

trunk/JavaScriptCore/jit/JIT.h

@@ -714 +714 @@
         void emit_op_new_object(Instruction*);
         void emit_op_new_regexp(Instruction*);
+        void emit_op_get_pnames(Instruction*);
         void emit_op_next_pname(Instruction*);
         void emit_op_not(Instruction*);

trunk/JavaScriptCore/jit/JITOpcodes.cpp

@@ -34 +34 @@
 #include "JSCell.h"
 #include "JSFunction.h"
+#include "JSPropertyNameIterator.h"
 #include "LinkBuffer.h"
 
@@ -1196 +1197 @@
 }
 
+void JIT::emit_op_get_pnames(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int base = currentInstruction[2].u.operand;
+    int i = currentInstruction[3].u.operand;
+    int size = currentInstruction[4].u.operand;
+    int breakTarget = currentInstruction[5].u.operand;
+
+    JumpList isNotObject;
+
+    emitLoad(base, regT1, regT0);
+    if (!m_codeBlock->isKnownNotImmediate(base))
+        isNotObject.append(branch32(NotEqual, regT1, Imm32(JSValue::CellTag)));
+    if (base != m_codeBlock->thisRegister()) {
+        loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+        isNotObject.append(branch32(NotEqual, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType)));
+    }
+
+    // We could inline the case where you have a valid cache, but
+    // this call doesn't seem to be hot.
+    Label isObject(this);
+    JITStubCall getPnamesStubCall(this, cti_op_get_pnames);
+    getPnamesStubCall.addArgument(regT0);
+    getPnamesStubCall.call(dst);
+    load32(Address(regT0, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStringsSize)), regT3);
+    store32(Imm32(0), addressFor(i));
+    store32(regT3, addressFor(size));
+    Jump end = jump();
+
+    isNotObject.link(this);
+    addJump(branch32(Equal, regT1, Imm32(JSValue::NullTag)), breakTarget);
+    addJump(branch32(Equal, regT1, Imm32(JSValue::UndefinedTag)), breakTarget);
+    JITStubCall toObjectStubCall(this, cti_to_object);
+    toObjectStubCall.addArgument(regT1, regT0);
+    toObjectStubCall.call(base);
+    jump().linkTo(isObject, this);
+    
+    end.link(this);
+}
+
 void JIT::emit_op_next_pname(Instruction* currentInstruction)
 {
     int dst = currentInstruction[1].u.operand;
-    int iter = currentInstruction[2].u.operand;
-    int target = currentInstruction[3].u.operand;
-
-    load32(Address(callFrameRegister, (iter * sizeof(Register))), regT0);
-
-    JITStubCall stubCall(this, cti_op_next_pname);
+    int base = currentInstruction[2].u.operand;
+    int i = currentInstruction[3].u.operand;
+    int size = currentInstruction[4].u.operand;
+    int it = currentInstruction[5].u.operand;
+    int target = currentInstruction[6].u.operand;
+    
+    JumpList callHasProperty;
+
+    Label begin(this);
+    load32(addressFor(i), regT0);
+    Jump end = branch32(Equal, regT0, addressFor(size));
+
+    // Grab key @ i
+    loadPtr(addressFor(it), regT1);
+    loadPtr(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStrings)), regT2);
+    load32(BaseIndex(regT2, regT0, TimesEight), regT2);
+    store32(Imm32(JSValue::CellTag), tagFor(dst));
+    store32(regT2, payloadFor(dst));
+
+    // Increment i
+    add32(Imm32(1), regT0);
+    store32(regT0, addressFor(i));
+
+    // Verify that i is valid:
+    loadPtr(addressFor(base), regT0);
+
+    // Test base's structure
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+    callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
+
+    // Test base's prototype chain
+    loadPtr(Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedPrototypeChain))), regT3);
+    loadPtr(Address(regT3, OBJECT_OFFSETOF(StructureChain, m_vector)), regT3);
+    addJump(branchTestPtr(Zero, Address(regT3)), target);
+
+    Label checkPrototype(this);
+    callHasProperty.append(branch32(Equal, Address(regT2, OBJECT_OFFSETOF(Structure, m_prototype) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), Imm32(JSValue::NullTag)));
+    loadPtr(Address(regT2, OBJECT_OFFSETOF(Structure, m_prototype) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT2);
+    loadPtr(Address(regT2, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+    callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
+    addPtr(Imm32(sizeof(Structure*)), regT3);
+    branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
+
+    // Continue loop.
+    addJump(jump(), target);
+
+    // Slow case: Ask the object if i is valid.
+    callHasProperty.link(this);
+    loadPtr(addressFor(dst), regT1);
+    JITStubCall stubCall(this, cti_has_property);
     stubCall.addArgument(regT0);
+    stubCall.addArgument(regT1);
     stubCall.call();
 
-    Jump endOfIter = branchTestPtr(Zero, regT0);
-    emitStore(dst, regT1, regT0);
-    map(m_bytecodeIndex + OPCODE_LENGTH(op_next_pname), dst, regT1, regT0);
-    addJump(jump(), target);
-    endOfIter.link(this);
+    // Test for valid key.
+    addJump(branchTest32(NonZero, regT0), target);
+    jump().linkTo(begin, this);
+
+    // End of loop.
+    end.link(this);
 }
 
@@ -2373 +2460 @@
 }
 
+void JIT::emit_op_get_pnames(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int base = currentInstruction[2].u.operand;
+    int i = currentInstruction[3].u.operand;
+    int size = currentInstruction[4].u.operand;
+    int breakTarget = currentInstruction[5].u.operand;
+
+    JumpList isNotObject;
+
+    emitGetVirtualRegister(base, regT0);
+    if (!m_codeBlock->isKnownNotImmediate(base))
+        isNotObject.append(emitJumpIfNotJSCell(regT0));
+    if (base != m_codeBlock->thisRegister()) {
+        loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+        isNotObject.append(branch32(NotEqual, Address(regT2, OBJECT_OFFSETOF(Structure, m_typeInfo.m_type)), Imm32(ObjectType)));
+    }
+
+    // We could inline the case where you have a valid cache, but
+    // this call doesn't seem to be hot.
+    Label isObject(this);
+    JITStubCall getPnamesStubCall(this, cti_op_get_pnames);
+    getPnamesStubCall.addArgument(regT0);
+    getPnamesStubCall.call(dst);
+    load32(Address(regT0, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStringsSize)), regT3);
+    store32(Imm32(0), addressFor(i));
+    store32(regT3, addressFor(size));
+    Jump end = jump();
+
+    isNotObject.link(this);
+    move(regT0, regT1);
+    and32(Imm32(~JSImmediate::ExtendedTagBitUndefined), regT1);
+    addJump(branch32(Equal, regT1, Imm32(JSImmediate::FullTagTypeNull)), breakTarget);
+
+    JITStubCall toObjectStubCall(this, cti_to_object);
+    toObjectStubCall.addArgument(regT0);
+    toObjectStubCall.call(base);
+    jump().linkTo(isObject, this);
+    
+    end.link(this);
+}
+
 void JIT::emit_op_next_pname(Instruction* currentInstruction)
 {
-    JITStubCall stubCall(this, cti_op_next_pname);
-    stubCall.addArgument(currentInstruction[2].u.operand, regT2);
+    int dst = currentInstruction[1].u.operand;
+    int base = currentInstruction[2].u.operand;
+    int i = currentInstruction[3].u.operand;
+    int size = currentInstruction[4].u.operand;
+    int it = currentInstruction[5].u.operand;
+    int target = currentInstruction[6].u.operand;
+    
+    JumpList callHasProperty;
+
+    Label begin(this);
+    load32(addressFor(i), regT0);
+    Jump end = branch32(Equal, regT0, addressFor(size));
+
+    // Grab key @ i
+    loadPtr(addressFor(it), regT1);
+    loadPtr(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_jsStrings)), regT2);
+    loadPtr(BaseIndex(regT2, regT0, TimesEight), regT2);
+    emitPutVirtualRegister(dst, regT2);
+
+    // Increment i
+    add32(Imm32(1), regT0);
+    store32(regT0, addressFor(i));
+
+    // Verify that i is valid:
+    emitGetVirtualRegister(base, regT0);
+
+    // Test base's structure
+    loadPtr(Address(regT0, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+    callHasProperty.append(branchPtr(NotEqual, regT2, Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedStructure)))));
+
+    // Test base's prototype chain
+    loadPtr(Address(Address(regT1, OBJECT_OFFSETOF(JSPropertyNameIterator, m_cachedPrototypeChain))), regT3);
+    loadPtr(Address(regT3, OBJECT_OFFSETOF(StructureChain, m_vector)), regT3);
+    addJump(branchTestPtr(Zero, Address(regT3)), target);
+
+    Label checkPrototype(this);
+    loadPtr(Address(regT2, OBJECT_OFFSETOF(Structure, m_prototype)), regT2);
+    callHasProperty.append(emitJumpIfNotJSCell(regT2));
+    loadPtr(Address(regT2, OBJECT_OFFSETOF(JSCell, m_structure)), regT2);
+    callHasProperty.append(branchPtr(NotEqual, regT2, Address(regT3)));
+    addPtr(Imm32(sizeof(Structure*)), regT3);
+    branchTestPtr(NonZero, Address(regT3)).linkTo(checkPrototype, this);
+
+    // Continue loop.
+    addJump(jump(), target);
+
+    // Slow case: Ask the object if i is valid.
+    callHasProperty.link(this);
+    emitGetVirtualRegister(dst, regT1);
+    JITStubCall stubCall(this, cti_has_property);
+    stubCall.addArgument(regT0);
+    stubCall.addArgument(regT1);
     stubCall.call();
-    Jump endOfIter = branchTestPtr(Zero, regT0);
-    emitPutVirtualRegister(currentInstruction[1].u.operand);
-    addJump(jump(), currentInstruction[3].u.operand);
-    endOfIter.link(this);
+
+    // Test for valid key.
+    addJump(branchTest32(NonZero, regT0), target);
+    jump().linkTo(begin, this);
+
+    // End of loop.
+    end.link(this);
 }
 

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -701 +701 @@
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
-        StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-        if (!prototypeChain->isCacheable() || structure->isDictionary()) {
+        if (structure->isDictionary()) {
             ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
             return;
         }
+
+        // put_by_id_transition checks the prototype chain for setters.
+        normalizePrototypeChain(callFrame, baseCell);
+
+        StructureChain* prototypeChain = structure->prototypeChain(callFrame);
         stubInfo->initPutByIdTransition(structure->previousID(), structure, prototypeChain);
         JIT::compilePutByIdTransition(callFrame->scopeChain()->globalData, codeBlock, stubInfo, structure->previousID(), structure, slot.cachedOffset(), prototypeChain, returnAddress);
@@ -781 +785 @@
     }
 
-    size_t count = countPrototypeChainEntriesAndCheckForProxies(callFrame, baseValue, slot);
+    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase());
     if (!count) {
         stubInfo->accessType = access_get_by_id_generic;
@@ -788 +792 @@
 
     StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-    if (!prototypeChain->isCacheable()) {
-        ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_get_by_id_generic));
-        return;
-    }
     stubInfo->initGetByIdChain(structure, prototypeChain);
     JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, prototypeChain, count, slot.cachedOffset(), returnAddress);
@@ -1333 +1333 @@
         if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
             ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
-    } else if (size_t count = countPrototypeChainEntriesAndCheckForProxies(callFrame, baseValue, slot)) {
-        StructureChain* protoChain = structure->prototypeChain(callFrame);
-        if (!protoChain->isCacheable()) {
-            ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
-            return JSValue::encode(result);
-        }
-        
+    } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase())) {
         int listIndex;
         PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
+
+        StructureChain* protoChain = structure->prototypeChain(callFrame);
         JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, protoChain, count, slot.cachedOffset());
 
@@ -2672 +2668 @@
     STUB_INIT_STACK_FRAME(stackFrame);
 
-    return JSPropertyNameIterator::create(stackFrame.callFrame, stackFrame.args[0].jsValue());
-}
-
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_next_pname)
-{
-    STUB_INIT_STACK_FRAME(stackFrame);
-
-    JSPropertyNameIterator* it = stackFrame.args[0].propertyNameIterator();
-    JSValue temp = it->next(stackFrame.callFrame);
-    if (!temp)
-        it->invalidate();
-    return JSValue::encode(temp);
+    CallFrame* callFrame = stackFrame.callFrame;
+    JSObject* o = stackFrame.args[0].jsObject();
+    Structure* structure = o->structure();
+    JSPropertyNameIterator* jsPropertyNameIterator = structure->enumerationCache();
+    if (!jsPropertyNameIterator || jsPropertyNameIterator->cachedPrototypeChain() != structure->prototypeChain(callFrame))
+        jsPropertyNameIterator = JSPropertyNameIterator::create(callFrame, o);
+    return jsPropertyNameIterator;
+}
+
+DEFINE_STUB_FUNCTION(int, has_property)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    JSObject* base = stackFrame.args[0].jsObject();
+    JSString* property = stackFrame.args[1].jsString();
+    return base->hasProperty(stackFrame.callFrame, Identifier(stackFrame.callFrame, property->value()));
 }
 
@@ -3024 +3024 @@
 }
 
+DEFINE_STUB_FUNCTION(EncodedJSValue, to_object)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    return JSValue::encode(stackFrame.args[0].jsValue().toObject(callFrame));
+}
+
 } // namespace JSC
 

trunk/JavaScriptCore/jit/JITStubs.h

@@ -64 +64 @@
 
         JSValue jsValue() { return JSValue::decode(asEncodedJSValue); }
+        JSObject* jsObject() { return static_cast<JSObject*>(asPointer); }
         Identifier& identifier() { return *static_cast<Identifier*>(asPointer); }
         int32_t int32() { return asInt32; }
@@ -286 +287 @@
     EncodedJSValue JIT_STUB cti_op_mul(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_negate(STUB_ARGS_DECLARATION);
-    EncodedJSValue JIT_STUB cti_op_next_pname(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_not(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_nstricteq(STUB_ARGS_DECLARATION);
@@ -308 +308 @@
     EncodedJSValue JIT_STUB cti_op_urshift(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_vm_throw(STUB_ARGS_DECLARATION);
+    EncodedJSValue JIT_STUB cti_to_object(STUB_ARGS_DECLARATION);
     JSObject* JIT_STUB cti_op_construct_JSConstruct(STUB_ARGS_DECLARATION);
     JSObject* JIT_STUB cti_op_new_array(STUB_ARGS_DECLARATION);
@@ -333 +334 @@
     int JIT_STUB cti_op_loop_if_true(STUB_ARGS_DECLARATION);
     int JIT_STUB cti_timeout_check(STUB_ARGS_DECLARATION);
+    int JIT_STUB cti_has_property(STUB_ARGS_DECLARATION);
     void JIT_STUB cti_op_create_arguments(STUB_ARGS_DECLARATION);
     void JIT_STUB cti_op_create_arguments_no_params(STUB_ARGS_DECLARATION);

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -1469 +1469 @@
         return emitThrowError(generator, ReferenceError, "Left side of for-in statement is not a reference.");
 
-    RefPtr<Label> continueTarget = generator.newLabel(); 
-
     generator.emitDebugHook(WillExecuteStatement, firstLine(), lastLine());
 
     if (m_init)
         generator.emitNode(generator.ignoredResult(), m_init);
-    RegisterID* forInBase = generator.emitNode(m_expr);
-    RefPtr<RegisterID> iter = generator.emitGetPropertyNames(generator.newTemporary(), forInBase);
+
+    RefPtr<RegisterID> base = generator.newTemporary();
+    generator.emitNode(base.get(), m_expr);
+    RefPtr<RegisterID> i = generator.newTemporary();
+    RefPtr<RegisterID> size = generator.newTemporary();
+    RefPtr<RegisterID> iter = generator.emitGetPropertyNames(generator.newTemporary(), base.get(), i.get(), size.get(), scope->breakTarget());
     generator.emitJump(scope->continueTarget());
 
@@ -1518 +1520 @@
 
     generator.emitLabel(scope->continueTarget());
-    generator.emitNextPropertyName(propertyName, iter.get(), loopStart.get());
+    generator.emitNextPropertyName(propertyName, base.get(), i.get(), size.get(), iter.get(), loopStart.get());
     generator.emitDebugHook(WillExecuteStatement, firstLine(), lastLine());
     generator.emitLabel(scope->breakTarget());

trunk/JavaScriptCore/runtime/JSCell.h

@@ -113 +113 @@
     };
 
-    // FIXME: We should deprecate this and just use JSValue::asCell() instead.
-    JSCell* asCell(JSValue);
-
-    inline JSCell* asCell(JSValue value)
-    {
-        return value.asCell();
-    }
-
     inline JSCell::JSCell(Structure* structure)
         : m_structure(structure)

trunk/JavaScriptCore/runtime/JSObject.cpp

@@ -444 +444 @@
 void JSObject::getPropertyNames(ExecState* exec, PropertyNameArray& propertyNames)
 {
-    bool shouldCache = propertyNames.shouldCache() && !(propertyNames.size() || m_structure->isDictionary());
-
-    if (shouldCache) {
-        if (PropertyNameArrayData* data = m_structure->enumerationCache()) {
-            if (data->cachedPrototypeChain() == m_structure->prototypeChain(exec)) {
-                propertyNames.setData(data);
-                return;
-            }
-
-            m_structure->clearEnumerationCache();
-        }
-    }
-
     getOwnPropertyNames(exec, propertyNames);
 
-    if (prototype().isObject()) {
-        propertyNames.setShouldCache(false); // No need for our prototypes to waste memory on caching, since they're not being enumerated directly.
-        JSObject* prototype = asObject(this->prototype());
-        while(1) {
-            if (prototype->structure()->typeInfo().overridesGetPropertyNames()) {
-                prototype->getPropertyNames(exec, propertyNames);
-                break;
-            }
-            prototype->getOwnPropertyNames(exec, propertyNames);
-            JSValue nextProto = prototype->prototype();
-            if (!nextProto.isObject())
-                break;
-            prototype = asObject(nextProto);
-        }
-    }
-
-    if (shouldCache) {
-        StructureChain* protoChain = m_structure->prototypeChain(exec);
-        if (!protoChain->isCacheable())
-            return;
-        RefPtr<PropertyNameArrayData> data = propertyNames.data();
-        data->setCachedPrototypeChain(protoChain);
-        data->setCachedStructure(m_structure);
-        m_structure->setEnumerationCache(data.release());
+    if (prototype().isNull())
+        return;
+
+    JSObject* prototype = asObject(this->prototype());
+    while(1) {
+        if (prototype->structure()->typeInfo().overridesGetPropertyNames()) {
+            prototype->getPropertyNames(exec, propertyNames);
+            break;
+        }
+        prototype->getOwnPropertyNames(exec, propertyNames);
+        JSValue nextProto = prototype->prototype();
+        if (nextProto.isNull())
+            break;
+        prototype = asObject(nextProto);
     }
 }

trunk/JavaScriptCore/runtime/JSPropertyNameIterator.cpp

@@ -30 +30 @@
 #include "JSPropertyNameIterator.h"
 
+#include "JSGlobalObject.h"
+
 namespace JSC {
 
 ASSERT_CLASS_FITS_IN_CELL(JSPropertyNameIterator);
 
-JSPropertyNameIterator::~JSPropertyNameIterator()
+JSPropertyNameIterator* JSPropertyNameIterator::create(ExecState* exec, JSObject* o)
 {
+    ASSERT(!o->structure()->enumerationCache() ||
+            o->structure()->enumerationCache()->cachedStructure() != o->structure() ||
+            o->structure()->enumerationCache()->cachedPrototypeChain() != o->structure()->prototypeChain(exec));
+
+    PropertyNameArray propertyNames(exec);
+    o->getPropertyNames(exec, propertyNames);
+    JSPropertyNameIterator* jsPropertyNameIterator = new (exec) JSPropertyNameIterator(exec, propertyNames.data());
+
+    if (o->structure()->isDictionary())
+        return jsPropertyNameIterator;
+
+    if (o->structure()->typeInfo().overridesGetPropertyNames())
+        return jsPropertyNameIterator;
+    
+    size_t count = normalizePrototypeChain(exec, o);
+    StructureChain* structureChain = o->structure()->prototypeChain(exec);
+    RefPtr<Structure>* structure = structureChain->head();
+    for (size_t i = 0; i < count; ++i) {
+        if (structure[i]->typeInfo().overridesGetPropertyNames())
+            return jsPropertyNameIterator;
+    }
+
+    jsPropertyNameIterator->setCachedPrototypeChain(structureChain);
+    jsPropertyNameIterator->setCachedStructure(o->structure());
+    o->structure()->setEnumerationCache(jsPropertyNameIterator);
+    return jsPropertyNameIterator;
+}
+
+JSValue JSPropertyNameIterator::get(ExecState* exec, JSObject* base, size_t i)
+{
+    JSValue& identifier = m_jsStrings[i];
+    if (m_cachedStructure == base->structure() && m_cachedPrototypeChain == base->structure()->prototypeChain(exec))
+        return identifier;
+
+    if (!base->hasProperty(exec, Identifier(exec, asString(identifier)->value())))
+        return JSValue();
+    return identifier;
 }
 
 void JSPropertyNameIterator::markChildren(MarkStack& markStack)
 {
-    JSCell::markChildren(markStack);
-    if (m_object)
-        markStack.append(m_object);
-}
-
-void JSPropertyNameIterator::invalidate()
-{
-    ASSERT(m_position == m_end);
-    m_object = 0;
-    m_data.clear();
+    markStack.appendValues(m_jsStrings.get(), m_jsStringsSize, MayContainNullValues);
 }
 

trunk/JavaScriptCore/runtime/JSPropertyNameIterator.h

@@ -32 +32 @@
 #include "JSObject.h"
 #include "JSString.h"
+#include "Operations.h"
 #include "PropertyNameArray.h"
 
@@ -40 +41 @@
 
     class JSPropertyNameIterator : public JSCell {
+        friend class JIT;
+
     public:
-        static JSPropertyNameIterator* create(ExecState*, JSValue);
-
-        virtual ~JSPropertyNameIterator();
-
-        virtual void markChildren(MarkStack&);
-
-        JSValue next(ExecState*);
-        void invalidate();
+        static JSPropertyNameIterator* create(ExecState*, JSObject*);
         
         static PassRefPtr<Structure> createStructure(JSValue prototype)
@@ -54 +50 @@
             return Structure::create(prototype, TypeInfo(CompoundType, OverridesMarkChildren));
         }
+
+        virtual void markChildren(MarkStack&);
+
+        JSValue get(ExecState*, JSObject*, size_t i);
+        size_t size() { return m_jsStringsSize; }
+
+        void setCachedStructure(Structure* structure) { m_cachedStructure = structure; }
+        Structure* cachedStructure() { return m_cachedStructure; }
+
+        void setCachedPrototypeChain(NonNullPassRefPtr<StructureChain> cachedPrototypeChain) { m_cachedPrototypeChain = cachedPrototypeChain; }
+        StructureChain* cachedPrototypeChain() { return m_cachedPrototypeChain.get(); }
+
     private:
-        JSPropertyNameIterator(ExecState*);
-        JSPropertyNameIterator(ExecState*, JSObject*, PassRefPtr<PropertyNameArrayData> propertyNameArrayData);
+        JSPropertyNameIterator(ExecState*, PropertyNameArrayData* propertyNameArrayData);
 
-        JSObject* m_object;
-        RefPtr<PropertyNameArrayData> m_data;
-        PropertyNameArrayData::const_iterator m_position;
-        PropertyNameArrayData::const_iterator m_end;
+        Structure* m_cachedStructure;
+        RefPtr<StructureChain> m_cachedPrototypeChain;
+        size_t m_jsStringsSize;
+        OwnArrayPtr<JSValue> m_jsStrings;
     };
 
-inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec)
+inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec, PropertyNameArrayData* propertyNameArrayData)
     : JSCell(exec->globalData().propertyNameIteratorStructure.get())
-    , m_object(0)
-    , m_position(0)
-    , m_end(0)
+    , m_cachedStructure(0)
+    , m_jsStringsSize(propertyNameArrayData->propertyNameVector().size())
+    , m_jsStrings(new JSValue[m_jsStringsSize])
 {
+    PropertyNameArrayData::PropertyNameVector& propertyNameVector = propertyNameArrayData->propertyNameVector();
+    for (size_t i = 0; i < m_jsStringsSize; ++i)
+        m_jsStrings[i] = jsOwnedString(exec, propertyNameVector[i].ustring());
 }
 
-inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec, JSObject* object, PassRefPtr<PropertyNameArrayData> propertyNameArrayData)
-    : JSCell(exec->globalData().propertyNameIteratorStructure.get())
-    , m_object(object)
-    , m_data(propertyNameArrayData)
-    , m_position(m_data->begin())
-    , m_end(m_data->end())
+inline void Structure::setEnumerationCache(JSPropertyNameIterator* enumerationCache)
 {
-}
-
-inline JSPropertyNameIterator* JSPropertyNameIterator::create(ExecState* exec, JSValue v)
-{
-    if (v.isUndefinedOrNull())
-        return new (exec) JSPropertyNameIterator(exec);
-
-    JSObject* o = v.toObject(exec);
-    PropertyNameArray propertyNames(exec);
-    o->getPropertyNames(exec, propertyNames);
-    return new (exec) JSPropertyNameIterator(exec, o, propertyNames.releaseData());
-}
-
-inline JSValue JSPropertyNameIterator::next(ExecState* exec)
-{
-    if (m_position == m_end)
-        return JSValue();
-
-    if (m_data->cachedStructure() == m_object->structure() && m_data->cachedPrototypeChain() == m_object->structure()->prototypeChain(exec))
-        return jsOwnedString(exec, (*m_position++).ustring());
-
-    do {
-        if (m_object->hasProperty(exec, *m_position))
-            return jsOwnedString(exec, (*m_position++).ustring());
-        m_position++;
-    } while (m_position != m_end);
-
-    return JSValue();
+    ASSERT(!isDictionary());
+    m_enumerationCache = enumerationCache;
 }
 

trunk/JavaScriptCore/runtime/JSValue.h

@@ -374 +374 @@
     }
 
+    // FIXME: We should deprecate this and just use JSValue::asCell() instead.
+    JSCell* asCell(JSValue);
+
+    inline JSCell* asCell(JSValue value)
+    {
+        return value.asCell();
+    }
+
     ALWAYS_INLINE int32_t JSValue::toInt32(ExecState* exec) const
     {

trunk/JavaScriptCore/runtime/MarkStack.h

@@ -48 +48 @@
 
         ALWAYS_INLINE void append(JSValue);
-        ALWAYS_INLINE void append(JSCell*);
+        void append(JSCell*);
         
         ALWAYS_INLINE void appendValues(Register* values, size_t count, MarkSetProperties properties = NoNullValues)

trunk/JavaScriptCore/runtime/ObjectConstructor.cpp

@@ -126 +126 @@
 }
 
+// FIXME: Use the enumeration cache.
 JSValue JSC_HOST_CALL objectConstructorKeys(ExecState* exec, JSObject*, JSValue, const ArgList& args)
 {

trunk/JavaScriptCore/runtime/Operations.h

@@ -225 +225 @@
     }
 
-    inline size_t countPrototypeChainEntriesAndCheckForProxies(CallFrame* callFrame, JSValue baseValue, const PropertySlot& slot)
-    {
-        JSCell* cell = asCell(baseValue);
+    inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase)
+    {
+        JSCell* cell = asCell(base);
         size_t count = 0;
 
-        while (slot.slotBase() != cell) {
+        while (slotBase != cell) {
             JSValue v = cell->structure()->prototypeForLookup(callFrame);
 
-            // If we didn't find slotBase in baseValue's prototype chain, then baseValue
+            // If we didn't find slotBase in base's prototype chain, then base
             // must be a proxy for another object.
 
@@ -251 +251 @@
         ASSERT(count);
         return count;
+    }
+
+    inline size_t normalizePrototypeChain(CallFrame* callFrame, JSCell* base)
+    {
+        size_t count = 0;
+        while (1) {
+            JSValue v = base->structure()->prototypeForLookup(callFrame);
+            if (v.isNull())
+                return count;
+
+            base = asCell(v);
+
+            // Since we're accessing a prototype in a loop, it's a good bet that it
+            // should not be treated as a dictionary.
+            if (base->structure()->isDictionary())
+                asObject(base)->setStructure(Structure::fromDictionaryTransition(base->structure()));
+
+            ++count;
+        }
     }
 

trunk/JavaScriptCore/runtime/PropertyNameArray.cpp

@@ -48 +48 @@
     }
 
-    m_data->propertyNameVector().append(Identifier(m_globalData, identifier));
+    addKnownUnique(identifier);
 }
 

trunk/JavaScriptCore/runtime/PropertyNameArray.h

@@ -25 +25 @@
 #include "Identifier.h"
 #include <wtf/HashSet.h>
+#include <wtf/OwnArrayPtr.h>
 #include <wtf/Vector.h>
 
@@ -32 +33 @@
     class StructureChain;
 
+    // FIXME: Rename to PropertyNameArray.
     class PropertyNameArrayData : public RefCounted<PropertyNameArrayData> {
     public:
         typedef Vector<Identifier, 20> PropertyNameVector;
-        typedef PropertyNameVector::const_iterator const_iterator;
 
         static PassRefPtr<PropertyNameArrayData> create() { return adoptRef(new PropertyNameArrayData); }
 
-        const_iterator begin() const { return m_propertyNameVector.begin(); }
-        const_iterator end() const { return m_propertyNameVector.end(); }
-
         PropertyNameVector& propertyNameVector() { return m_propertyNameVector; }
-
-        void setCachedStructure(Structure* structure) { m_cachedStructure = structure; }
-        Structure* cachedStructure() const { return m_cachedStructure; }
-
-        void setCachedPrototypeChain(NonNullPassRefPtr<StructureChain> cachedPrototypeChain) { m_cachedPrototypeChain = cachedPrototypeChain; }
-        StructureChain* cachedPrototypeChain() { return m_cachedPrototypeChain.get(); }
 
     private:
         PropertyNameArrayData()
-            : m_cachedStructure(0)
         {
         }
 
         PropertyNameVector m_propertyNameVector;
-        Structure* m_cachedStructure;
-        RefPtr<StructureChain> m_cachedPrototypeChain;
     };
 
+    // FIXME: Rename to PropertyNameArrayBuilder.
     class PropertyNameArray {
     public:
-        typedef PropertyNameArrayData::const_iterator const_iterator;
-
         PropertyNameArray(JSGlobalData* globalData)
             : m_data(PropertyNameArrayData::create())
@@ -85 +73 @@
         void addKnownUnique(UString::Rep* identifier) { m_data->propertyNameVector().append(Identifier(m_globalData, identifier)); }
 
-        size_t size() const { return m_data->propertyNameVector().size(); }
-
         Identifier& operator[](unsigned i) { return m_data->propertyNameVector()[i]; }
         const Identifier& operator[](unsigned i) const { return m_data->propertyNameVector()[i]; }
 
-        const_iterator begin() const { return m_data->begin(); }
-        const_iterator end() const { return m_data->end(); }
-
         void setData(PassRefPtr<PropertyNameArrayData> data) { m_data = data; }
         PropertyNameArrayData* data() { return m_data.get(); }
-
         PassRefPtr<PropertyNameArrayData> releaseData() { return m_data.release(); }
 
-        void setShouldCache(bool shouldCache) { m_shouldCache = shouldCache; }
-        bool shouldCache() const { return m_shouldCache; }
+        // FIXME: Remove these functions.
+        typedef PropertyNameArrayData::PropertyNameVector::const_iterator const_iterator;
+        size_t size() const { return m_data->propertyNameVector().size(); }
+        const_iterator begin() const { return m_data->propertyNameVector().begin(); }
+        const_iterator end() const { return m_data->propertyNameVector().end(); }
 
     private:

trunk/JavaScriptCore/runtime/Protect.h

@@ -23 +23 @@
 #define Protect_h
 
-#include "JSCell.h"
 #include "Collector.h"
+#include "JSValue.h"
 
 namespace JSC {

trunk/JavaScriptCore/runtime/Structure.cpp

@@ -29 +29 @@
 #include "Identifier.h"
 #include "JSObject.h"
+#include "JSPropertyNameIterator.h"
+#include "Lookup.h"
 #include "PropertyNameArray.h"
 #include "StructureChain.h"
-#include "Lookup.h"
 #include <wtf/RefCountedLeakCounter.h>
 #include <wtf/RefPtr.h>
@@ -160 +161 @@
 
     }
-
-    if (m_cachedPropertyNameArrayData)
-        m_cachedPropertyNameArrayData->setCachedStructure(0);
+    
+    if (m_enumerationCache)
+        m_enumerationCache->setCachedStructure(0);
 
     if (m_propertyTable) {
@@ -281 +282 @@
         insertIntoPropertyMapHashTable(entry);
     }
-}
-
-void Structure::clearEnumerationCache()
-{
-    if (m_cachedPropertyNameArrayData)
-        m_cachedPropertyNameArrayData->setCachedStructure(0);
-    m_cachedPropertyNameArrayData.clear();
 }
 
@@ -553 +547 @@
 size_t Structure::addPropertyWithoutTransition(const Identifier& propertyName, unsigned attributes, JSCell* specificValue)
 {
+    ASSERT(!m_enumerationCache);
     materializePropertyMapIfNecessary();
 
@@ -559 +554 @@
     if (propertyStorageSize() > propertyStorageCapacity())
         growPropertyStorageCapacity();
-    clearEnumerationCache();
     return offset;
 }
@@ -566 +560 @@
 {
     ASSERT(isUncacheableDictionary());
+    ASSERT(!m_enumerationCache);
 
     materializePropertyMapIfNecessary();
@@ -571 +566 @@
     m_isPinnedPropertyTable = true;
     size_t offset = remove(propertyName);
-    clearEnumerationCache();
     return offset;
 }

trunk/JavaScriptCore/runtime/Structure.h

@@ -32 +32 @@
 #include "PropertyMapHashTable.h"
 #include "PropertyNameArray.h"
+#include "Protect.h"
 #include "StructureChain.h"
 #include "StructureTransitionTable.h"
@@ -124 +125 @@
         void despecifyDictionaryFunction(const Identifier& propertyName);
 
-        void setEnumerationCache(PassRefPtr<PropertyNameArrayData> data) { m_cachedPropertyNameArrayData = data; }
-        PropertyNameArrayData* enumerationCache() { return m_cachedPropertyNameArrayData.get(); }
-        void clearEnumerationCache();
+        void setEnumerationCache(JSPropertyNameIterator* enumerationCache); // Defined in JSPropertyNameIterator.h.
+        JSPropertyNameIterator* enumerationCache() { return m_enumerationCache.get(); }
         void getEnumerablePropertyNames(PropertyNameArray&);
 
@@ -187 +187 @@
         StructureTransitionTable table;
 
-        RefPtr<PropertyNameArrayData> m_cachedPropertyNameArrayData;
+        ProtectedPtr<JSPropertyNameIterator> m_enumerationCache;
 
         PropertyMapHashTable* m_propertyTable;

trunk/JavaScriptCore/runtime/StructureChain.cpp

@@ -47 +47 @@
 }
 
-bool StructureChain::isCacheable() const
-{
-    uint32_t i = 0;
-    
-    while (m_vector[i]) {
-        // Both classes of dictionary structure may change arbitrarily so we can't cache them
-        if (m_vector[i]->isDictionary())
-            return false;
-        if (m_vector[i++]->typeInfo().overridesGetPropertyNames())
-            return false;
-    }
-    return true;
-}
-
 } // namespace JSC

trunk/JavaScriptCore/runtime/StructureChain.h

@@ -37 +37 @@
 
     class StructureChain : public RefCounted<StructureChain> {
+        friend class JIT;
+
     public:
         static PassRefPtr<StructureChain> create(Structure* head) { return adoptRef(new StructureChain(head)); }
         RefPtr<Structure>* head() { return m_vector.get(); }
-        bool isCacheable() const;
 
     private: